| From: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
|---|---|
| To: | Alexey Klyukin <alexk(at)hintbits(dot)com> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: implement subject alternative names support for SSL connections |
| Date: | 2014-09-15 13:17:37 |
| Message-ID: | 5416E6F1.3080907@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 09/15/2014 01:44 PM, Alexey Klyukin wrote:
>>> Committed, with that change, ie. the CN is not checked if SANs are present.
>
> Actually, I disagree with the way the patch ignores the CN. Currently,
> it skips the
> CN unconditionally if the SubjectAltName section is present. But what
> RFC 6125 says
> is:
>
> "If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used."
>
> This means that we have to check that at least one dNSName resource is
> present before
> rejecting to examine the CN. Attached is a one-liner (excluding
> comments) that fixes this.
Ok, good catch. Fixed.
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alexander Korotkov | 2014-09-15 13:58:11 | Triconsistent catalog declaration |
| Previous Message | Heikki Linnakangas | 2014-09-15 12:41:22 | Re: WAL format and API changes (9.5) |